Risky Business Part 1: A checklist for managing Third Party Risk
IANS Enterprise Clients are a very diverse group when you look at them by size, industry, security budget, and the maturity level of their security organization. Speaking with our clients as often as I do, what I find interesting is that despite this profound diversity, there are many areas of interest common to a majority of companies – and one of those areas is third party risk.
For many of our clients, when they think “Third Party Risk” they think cloud – software as a service or infrastructure as a service. While it’s true that cloud service providers do expose an enterprise to third party risk, they are just the next in a long line of extended relationships that present risk that must be managed over time.
For companies looking for tools and techniques to manage their third party risk more effectively, we normally suggest they begin with the FDIC Guidance For Managing Third Party Risk issued in June 2008 (FDIC:FIL-44-2008). Since the guidance was issued, financial institutions covered by the FDIC have been subject to oversight by that agency in the ways they manage third party relationships and the risks resulting from those relationships.
FDIC’s Financial Institution Letter is very comprehensive in its scope. It directs that formal risk management activities take place with any third party where the relationship is new. How does an organization determine whether a partner should be subject to such a review? The key is when the relationship:
- Implements new banking activities
- Has a material effect on revenues or expenses
- Performs critical functions
- Stores, accesses, transmits or performs transactions on sensitive customer information
- Markets bank products or services
- Provides a product or service involving subprime lending or card payment transactions
- Poses risks that could significantly affect earnings or capital
For better or worse, regulations that are passed successfully tend to be copied and propagated. We at IANS are advising clients in healthcare and critical infrastructure to assume that these regulations are on their way. It may also be coming to state privacy and data breach legislation – it’s already included in Mass General Law Chapter 93h/MA CMR 201. Financial institutions most often have programs up and running – only time will tell if they have the ability to devote adequate resources to keep those programs functioning in order to meet FDIC mandates.
If your company is looking to address third party risk in a meaningful way, here are some guiding principles to help you ensure early success and avoid execution failures.
- Focus on the new: Performing risk assessments on existing vendors can lead to roadblocks. If deficiencies are found, there is little leverage available to get them to address gaps or make enhancements. The contract may also not provide remedies other than termination, and the business will not likely support pulling out of a functioning relationship to address security concerns unless the business or regulatory pressures are sufficient to warrant an interim review. In these cases, a focus on key vendors and third parties who are coming up for renewal may provide some leverage; however, to avoid finding your organization in this position in the future, exercise rigor on vendors who are new to the organization. Now is an excellent time to prove value to your organization by showing how your professional insights as a Security/Risk thought leader can help them reduce risk and improve security, availability, performance or all of the above.
- Prioritize: It’s likely your company has more vendor relationships to review than you have staff available to review them. Focus on the vendor relationships that pose the greatest risk to your business. And when you define risk, ensure that the risk is one the business would agree with, not just how security perceives it. If you need agreement on how best to deploy resources, demonstrate that you are focused on risk with a high degree of business sensitivity. That usually means concentrating on customer data that would be subject to privacy breach disclosure requirements. Others to consider would be vendors who face the customer on behalf of your company, or who provide a key service to your company where there is a high cost of outage or business interruption. Look to your internal risk assessment programs and leverage those methodologies to drive the vendor risk assessment program. If you need assistance with getting an internal risk assessment program set up, the IANS faculty may be able to help you.
- Define the nature of risk: Knowing which risk categories are key business drivers will help you identify the vendors most important to your business. Some key types of risk that should be considered include:
1. Profitability/Earning Risk – failure of the vendor could impact the revenue stream from key partnerships, ventures, products and services, or the ability to achieve key strategic goals.
2. Reputational Risk – failure of the vendor could lead to negative public opinion, either about the nature/quality of service or about the ability to deliver implicit or implied value to customers or partners.
3. Operational Risk – failure of the vendor could lead to loss of automation and require significant manual effort and associated expense.
4. Service Delivery Risk – lack of capacity might not lead to a complete failure as in operational risk, but may impact the ability to deliver key services to customers in a timely fashion and cause negative impacts including loss of revenue, transaction abandonment, penalties, fees and customer dissatisfaction.
5. Credit/Financial Risk – failure of the vendor may expose the company to direct financial exposures, especially in the case of joint ventures where the company provides financial guarantees or where the presence of the vendor limits liability. Think of the loss of futures contracts on material prices if the issuing bank should close or become insolvent.
6. Compliance Risk – failure of the vendor may expose the company to violation of laws, rules or regulations. This might include GLB, SOX, PCI, HIPAA or FINRA.
Information security never works well in a vacuum. Being tied into the overall objectives of your enterprise – as defined by business leaders, compliance, purchasing and legal – is the way you can demonstrate that your third party risk management program is properly aligned.